Posted by Cliff on Thursday September 02, 2004 @07:55AM from the how-can-you-know-for-sure dept.

ReallyCurious asks: "Recently, I've noticed a lot of junk email in my inbox reporting 'Mail delivery failure' or 'Undeliverable'. Some of these had documents attached, so I figured this was just a worm variant. But these messages keep coming. I worry that my machine has been turned into a 'Spam Zombie'. I don't see any suspicious processes running, but maybe it only runs for a few seconds, and at irregular times. I run a Windows 98 laptop, sometimes wirelessly connected to broadband (a few hours a day, on average), but I had to remove my virus software years ago because it was locking my system up, so I'm wide open. I've tried to be a good citizen and have been shopping for new virus software, but prices are running $40-$70, and most of these are just for upgrades (not even counting the mandatory 'subscriptions')! Is there an open or free virus fighting solution that's reliable and available for Windows? I'd be happy to run it ASAP."

Exactly. Email worms and spammers frequently forge the sender. The problem is clueless mail administrators that configure their mail relays to accept mail to anyone (even unknown users) and then generate a bounce message when it can't be delivered (user unknown...). All scanning (spam and AV) and user verification really needs to be performed at initial SMTP reception and not after the fact.

Unfortunately, older versions of Exchange are stupid in this respect, and accept pretty much anything. I believe you even have to specifically configure the newer versions of exchange too to behave correctly (someone correct me if I'm wrong here... I no longer use exchange, just read about how 2003 works...)

IMHO, if you are running an older version of exchange without a good Unix relay in front of it that can do all this validation and scanning for you, you are a big part of the problem.
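The point made above, that recipient validation belongs in the SMTP transaction rather than in a later bounce, as an added example that is not code from the thread or from any product it mentions. The mailbox list, the domain, the client dialogue and all function names are constructed for illustration; a real MTA would consult its user database instead of a Python set.

```python
"""Toy SMTP receiver that rejects unknown recipients at RCPT TO time.

Added illustration (not from the thread).  The user list, domain and
session below are constructed.  Refusing at RCPT TO means the message is
never accepted, so the server never has to send a bounce to a MAIL FROM
address that may well be forged.
"""

KNOWN_USERS = {"alice", "bob"}      # constructed local mailbox list
LOCAL_DOMAIN = "example.com"        # constructed domain this server serves


def rcpt_response(rcpt_to: str) -> str:
    """Return the SMTP reply for one RCPT TO argument.

    550 replies are permanent: the sending client is told immediately and
    no message data is accepted, so no bounce is ever generated.
    """
    addr = rcpt_to.strip().strip("<>").lower()
    if "@" not in addr:
        return "501 5.1.3 Bad recipient address syntax"
    local, domain = addr.rsplit("@", 1)
    if domain != LOCAL_DOMAIN:
        return "550 5.7.1 Relaying denied"       # we are not an open relay
    if local not in KNOWN_USERS:
        return "550 5.1.1 User unknown"          # decided now, not after DATA
    return "250 2.1.5 OK"


def run_session(commands):
    """Drive a minimal command/response loop over client lines.

    Returns the list of server replies so the outcome can be inspected.
    """
    replies = []
    accepted_rcpts = 0
    for line in commands:
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example.com")
        elif verb == "MAIL":
            # The envelope sender is taken as-is here; an SPF check at this
            # point is the other half of scanning "at initial SMTP reception".
            replies.append("250 2.1.0 OK")
        elif verb == "RCPT":
            reply = rcpt_response(line.split(":", 1)[1])
            if reply.startswith("250"):
                accepted_rcpts += 1
            replies.append(reply)
        elif verb == "DATA":
            replies.append("354 End data with <CR><LF>.<CR><LF>"
                           if accepted_rcpts else "554 5.5.1 No valid recipients")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.2 Command not recognized")
    return replies


# Constructed session: a forged envelope sender, one bad and one good recipient.
SESSION = [
    "EHLO zombie.example.net",
    "MAIL FROM:<victim@forged.example>",
    "RCPT TO:<nobody@example.com>",
    "RCPT TO:<alice@example.com>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for cmd, rep in zip(SESSION, run_session(SESSION)):
        print(f"C: {cmd}\nS: {rep}")
```

In the session above the unknown recipient is refused with `550 5.1.1` while the connection is still open, so `victim@forged.example` never receives a "user unknown" bounce; the accept-then-bounce design the post criticises would have replied `250` to every RCPT TO and generated that bounce later.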

I really like qmail, but it does make the braindead design of accepting mail, then processing it. (For reasons of efficiency or something; it's supposed to be a feature.)

The folks at LinuxMagic make a replacement [linuxmagic.com] that's a bitch to get working, but does all kinds of checking during the SMTP transaction, like valid user checking, virus scanning, etc. You're supposed to be able to plug in arbitrary checkers, but I never got around to trying. The

It's possible to reconfigure qmail; at least I used a hacked-up qmail-scanner that rejects spam or virus content. I want to make it reject invalid users too, but that's hard to do on the secondary mail servers that don't know which accounts exist on the primary server, and most spams are relayed through the secondaries.

Yup, if you use your undisguised hotmail address on every one of your slashdot postings-- hypothetically, of course--you will see many bounce notices that dutifully land in your hotmail junk mail folder, using up your meager 2MB quota 40KB at a time.

I just got a bounce message today where I allegedly sent a message to someone that bounced. Strange thing it was sent from a dormant e-mail of mine which is not configured anywhere in any of my local programs and only an old 'official' contact on the web. (A mail alias on my domain...)

I would give it a second thought; it is likely someone you have had an email correspondence with and can therefore warn.

The best bet is to find out what virus it is (scan the email), and tracert the originating IP address. This should give you the ISP and maybe a state. Look up the virus to find the file names it creates and tell your family/friends that match the ISP/location to search for the file.

As he said, the email address is inactive, but is displayed on the web. Spammers don't just look on the web for email address to spam, but also address to spoof spam from. The only connection he had with the spammer was an http connection for 1/2 a second.

The story submitter is worried about his machine, not someone else's, and if he wants to be sure he has no spyware on his system he should use HijackThis by Merijn:

http://www.spywareinfo.com/~merijn/ (official site, down ATM)

http://www.tomcoyote.org/hjt/

Many popular anti-spyware forums accept posting a HijackThis log their HijackThis expert members can examine and advise you on. (e.g. The LavaSoft AdAware forums allow this but they require you post an AdAware log first:)

I also know how to create relatively grammar-error free posts, as well. (ONE friggin error (-_-)

I want to call you an idiot because obviously I know what I'm doing as can be seen from my previous post -- (e.g. it should be obvious I left amenities out because I was in a bind for time or something similar -- not because I don't know how..)

Please be happy you have the information and try not to criticize too much. It's not like I post onto slashdot for a living or something..

How do you know your machine isn't infected with something none of the anti spyware programs detect yet? It is trivial for a spyware author to recompile his program and change some of the strings around so that it's no longer detected by antivirus software, or even compress it with a new/modified executeable packer. Remember malware has to be released to the wild and actually infect a rather large number of people before the antivirus/spyware authors will get hold of a copy, analyse it and include a signatu

Because I have a firewall (NON-XP-SP2) and a Linux gateway with another firewall and packet sniffers... I would see the traffic.

Sure one could get polymorphic virii, and do all sorta funny stuff. But mostly their memory footprint (or key parts thereof) remain the same or similar to existing virii and spyware. Good Virii and spyware detection software can detect derivatives even before they were programmed to.

I think that someone is spoofing a delivery failure email because the body is almost always a virus of some kind. Perhaps the spoofer is thinking that a delivery failure will make it past Bayesian filters.

The bounces you're getting are from other spam using you as the From address. Spam sent from your machine would have random addresses not necessarily your own. But you might still have a trojan running that could be used to send spam so you should check.

Why not run a free firewall and watch for any alerts that something is trying to connect to the internet? Zonealarm will do fine.

If you're a bit more techie you can use winpcap or similar to capture the traffic.

There's no excuse to be wide open. You'll soon do something about it when your ISP wakes up to the problem and cuts you off. I appreciate how people can get caught inadvertently by malware (I was hosting a trojan for a few hours last week in between upgrades) but I don't appreciate you leaving it th

Most likely your email address is getting used as the return address and little more - the returned mail thing affects everyone to some degree. If you were being used as a spam zombie, you'd probably not notice any change in returned mails, as the zombies generally use someone else's address again as the return addy. I'm fairly sure the return addresses aren't always randomised, as on my domains I see a bucketload of spam all from the same email address, so whoever lives there must be getting a bucketful of bounces.

Still, you really should get an antivirus solution to ease your worries. I use AVG from Grisoft [grisoft.com], which is available in a free edition.

Of course, the bounces are plain annoying - when I get ACTUAL bounces from mail I send, I often delete them based on subject line, not realising that the person I was trying to contact is none the wiser. Booo

My e-mail address keebler@mindspring.com [mailto], has been around since 1994, and very often used unobscured during those early years. It is quite well known to spammers and is often used as a forged header. My father recently received an ActiveX virus sent using my address in the "From:" field. He was suspicious, as I know how to spell and form sentences like a native English speaker, and don't send him attachments other than amusing.jpegs

But I'm scared of my more technically naive mother getting zapped this

You're running Windows 98 with no virus software. I'm surprised you can use the machine at all. I constantly get requests from people to clean up their Win98 machines. They are usually riddled with spyware, trojans and diallers. Don't bother with new antivirus. Get a new operating system.

For a long time (5+ years) I ran Windows 98 because I couldn't get online under any other operating system (and I tried a lot of them) and couldn't afford a $60 dialup modem that would allow me to do so.

For a large part of that time I ran no firewall, used an online remote virus scanner sporadically at best, and reinstalled only once. In all that time, my computer contracted only one virus (a non-serious one at that), and this was due to a less computer-savvy relation of mine browsing the internet using I

You're running Windows 98 with no virus software. I'm surprised you can use the machine at all.

I run MS Windows 95 with no antivirus or firewall, and don't have any problem at all with viruses, etc. All I did was turn off everything that can be used to compromise my machine (e.g., closed port 135, turned off NetBIOS over TCP/IP, etc.). I also have disabled scripting, plugins, etc., in my browser (Mozilla) and in my mail and news readers (Outlook Express, Mozilla and Forte Free Agent). (I do have a proxy serv

It's also a good idea to look you ip up [dshield.org] on dshield [dshield.org]. They aggregate firewall logs from many sources. If your IP is causing someone trouble, it is likely to show up there. Another similar service is mynetwatchman [mynetwatchman.com].

But if you're running Win98 without firewalling/serious tweaking... you're probably owned or at least at risk. Though in all fairness there are probably some other spammers who just happen to use your mail address as the sender.

Why is he owned if he uses 98? My impression has been that 98 is _safer_ - WinNT/2k/XP all have all these fun services that can be exploited, where 98 doesn't. Granted, if you run IE or the like all bets are off.

We get bounces to the support address at the company I work at all the time. Someone has decided to use our support address as the 'from:' address in their crappy spam. Anytime they send it to a non-existent address, we get the bounce. Our system is updated and locked down, so they aren't coming from us, but YMMV.

Either way, I'd suggest running that address through a spam block of some kind to filter out the crud or just give it up entirely if you can.

OK. I'm a dual booting guy. Obviously my linux, which I use mostly, has no problems. However, my windows install also has no problems. I only got a virus once ever because after a clean XP install a worm got to me before I got to windowsupdate.

The point is that you do NOT need anti-virus software. Anti-virus anti-spyware software should be used only to cleanup already busted systems. Your system cannot be infected if you take proper care to prevent it. Even if you are running windows on a cable modem all day.

1) NEVER download an e-mail attachment.
2) Use Firefox instead of IE.
3) Use Thunderbird instead of Outlook.
4) Do NOT visit untrustworthy websites.
5) Do NOT download any software from the internet and install it. Even if it looks trusty from tucows or download.com, do a google search to see if it is spyware first.
6) Have a firewall like zone alarm or sygate, or better have another computer between you and the net with a firewall on it. Or have a hardware firewall. Proper network level security keeps the worms out almost guaranteed.
7) If you have wireless, lock it down. You don't want a drive-by person to start sending spam out your pipe.
8) DO get all the windows updates that are security fixes. The ones that aren't security fixes you can choose to get or not get at your own discretion.

If you do those things then there is almost no way you can get hit. It's really that simple. And if you DO get hit, its usually easier to re-install due to the degrading nature of windows. Any windows install, even a clean one, falls apart over time. The registry fills with more and more junk. Improperly uninstalled apps leave files behind here and there. Hidden variables change and are not changed back. Even the cleanest installs seem to last at most 18 to 24 months except in very controlled business environments.

Don't pay for anti-virus software, it's a ripoff. Just re-install and then take proper preventative measures so it doesn't happen again.

If I might amend that a little because they are all good points but missing something:

0) Do not run Windows 98. This is the year 2004. 1998 was released 6 years ago. Microsoft have released three (3!) major desktop operating system revisions since then. If you thought MS was bad for security now, try and remember what they were like 6 years ago!

If you won't pay for Windows XP, I am certain that you can get a free operating system that will do all the things you can do with your Windows 98 install. Y

Except for the part about degradation of the registry. Look, I've got systems that are running Win 98SE and even 2 still running Win 95.

One of the Win 95 machines has been running for 7 YEARS without having to reload the OS. I have swapped hardware in and out, and changed drivers. The last time the OS was changed was when I put the 6 Gig drive in (1997) and I needed to upgrade from Win 95 ver B to ver C (B didn't support drives that big).

Insufficient. If you hook Windows directly up to broadband to get WindowsUpdate running, you have a good chance of being infected before you are patched. Software firewalls don't block everything, so Step 6 is insufficient, unless you have a machine proxying, NATting firewall or a true firewall. Even then you put a vulnerable machine on your local network, which may have unpleasant surprises in store for you.

A better option is for step 8 becomes: get all windows updates and security fixes ON CD, because ot

NEVER download an email attachment.
Then how are you supposed to open it? People do send legitimate attachments.

Do NOT visit untrustworthy sites
What exactly is a trustworthy site these days? Javascript and even HTML have been used to download malicious code. Even well known and respected sites have been affected.

Proper network level security keeps the worms out almost guaranteed.
Worms yes, because they infect networks. But viruses and trojan horses infect machines.

Unfortunately Firefox isn't the cure-all for avoiding web viruses. I haven't had a virus on a machine for years, but just last week a site somehow opened Internet Explorer from Firefox and thus installed some dialers and crap.

Since the SMTP protocol doesn't have any authentication of the sender (except within an ISP/Domain with SMTP-AUTH), it's easy for a spammer/virus to send mail pretending to be you. That's called a 'joe-job' after one of the early occurrences of it. A recently proposed solution (though not without its problems) is SPF (Sender Policy Framework) http://spf.pobox.com/ [pobox.com] where a domain owner can publish the list of servers which are authorized to send mail as being from a user of their domain. Until it's widely deployed, not just on the publishing side, but on the checking side, it won't be real useful. However it's nearly trivial for the DNS owner to publish the records and since big ISPs like AOL and Yahoo are starting to check them it does protect you from being Joe-Jobbed to a large number of mailboxes.
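How a receiving server evaluates the published SPF record against the connecting IP, as an added example that is not from the thread or from the SPF project. The DNS answers are a constructed in-memory table (no network access is assumed), and only the `ip4`, `ip6` and `all` mechanisms are implemented; mechanisms that need further DNS lookups (`a`, `mx`, `include`, `redirect=`) are outside this example and reported as an error rather than guessed.

```python
"""Minimal SPF evaluator (added illustration, not the thread's code).

Assumptions: TXT lookups are answered from the constructed FAKE_TXT table,
and only ip4:/ip6:/all mechanisms are understood.
"""
import ipaddress

# Constructed TXT records standing in for real DNS answers.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.7 ~all",
    "nopolicy.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, mail_from_domain, txt_lookup=FAKE_TXT.get):
    """Return the SPF result for a connection from sender_ip claiming
    MAIL FROM at mail_from_domain: pass, fail, softfail, neutral, none
    or permerror."""
    record = txt_lookup(mail_from_domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                    # domain publishes no policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"                  # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # catch-all: usually -all or ~all
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"        # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                      # no match, try the next term
        # a, mx, include:, exists:, ptr and redirect= need DNS; not modelled
        return "permerror"
    return "neutral"                      # record ran out without "all"


def spf_action(result):
    """Policy a receiving MTA might apply during the SMTP transaction."""
    if result == "fail":
        return "reject"                   # e.g. 550 at MAIL FROM / RCPT TO
    if result == "softfail":
        return "accept-and-mark"          # feed the result to the spam filter
    return "accept"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("203.0.113.5", "example.com"),
                    ("203.0.113.5", "softfail.example"), ("1.2.3.4", "nopolicy.example")]:
        r = check_spf(ip, dom)
        print(f"{ip} as {dom}: {r} -> {spf_action(r)}")
```

A joe-jobbed address whose domain publishes `-all` gets its forgeries rejected by every receiver that checks; with `~all` the forged mail is still accepted and the bounces still arrive, which is the deployment gap the post describes.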

Housecall is a web-based virus scanner that, since it is loaded anew every time, always has the latest virus definitions. Since it installs nothing but temporary cache files, you don't have to worry about it slowing down your machine.

Because of the nature of the application it can't always clean the offending virii/malware, but it will at least alert you to their presence and give you their names so that you can manually remove them. When combined with stinger [nai.com], spybot [safer-networking.org] and google [google.com] it's an excellent choice for on-site calls to machines without AV or for your old boxen that just can't afford the extra cycles for full-time AV bloat.

If you prefer to do the offline thing, try the Knoppix anti-virus distribution [oreillynet.com] (weak link I know). Once again it isn't a permanently installed application and since the OS isn't running it can slap down bugs before they're loaded into memory.

I've used housecall a few times to scan some machines. It works pretty well, and since it's web based you don't have to install anything. The downside is that it's for IE only so it may not be an option for some (hopefully many).

For offline scanning, I'll repeat the numerous recommendations for Grisoft's AVG free scanner http://www.grisoft.com/us/us_index.php After testing it on a few machines, we're planning to purchase the server edition to scan all incoming email befo

Most of the posts haven't really been answering the question. Most of the posts have been helpful advice about how to stop being a spam-zombie, but haven't been answering whether or not he currently is one.

With apologies, because the connection I just made to them was a bit slow, there are:
http://openrbl.org/
http://moensted.dk/spam/
http://www.dnsstuff.com/tools/ip4r.ch

Unfortunately my domain is in there, because it really refers to my ISP-assigned IP, and their whole block is listed.

Everyone else already said you most likely aren't infected, but if your machine is totally unsecured, the first thing I'd recommend is getting a good software firewall installed and running. There are many different products out there with prices varying from free to darn expensive. I'll let someone else link to them for Karma. :) If you practice reasonably safe internet usage (e.g. not opening attachments you aren't expecting, not visiting websites from random links, not visiting shady websites) then your

If the originating ip address matches your ISP, there's a good chance, though as others here have said, most of the time, these bounces are from spam that uses one address from its mailing list for the "TO" header and another for the "FROM" header.

NEVER run Windows without solid anti-virus. If something on your machine is interfering with the anti-virus, fix your machine until anti-virus runs. If your anti-virus interferes with something else, don't run that something else. Seriously. It's that dangerous.

I run a Windows 98 laptop, sometimes wirelessly connected to broadband (a few hours a day, on average), but I had to remove my virus software years ago because it was locking my system up, so I'm wide open. I've tried to be a good citizen and have been shopping for new virus software, but prices are running $40-$70, and most of these are just for upgrades (not even counting the mandatory 'subscriptions')!

If you have a Windows 98 machine with no anti-virus software, then stay off of the Internet. Period. You have no right to endanger and inconvenience others just because you're too cheap/poor to buy anti-virus software and too computer-illiterate to type "free antivirus software" into Google (hint).

So you are the guy telling people to download random software from the internet and install it. Thank you very much.

Ever heard of a review? How goddamned hard is it to do a little research on your own? Apparently too hard, so here's a link [pcworld.com] to a PC World review of free anti-virus software. But you're too clever to fall for that, aren't you? You figured out that Grisoft, Alwil, and H+BEDV Datentechnik GmbH (makers of AVG, Avast, and AntiVir anti-virus software respectively) are all providing free-for-per

I was not referring to that software, just your suggestions to use google.

What's wrong with using a search engine to search for things? That seems pretty logical to me. You search for "free antivirus software", click on the links, search for reviews of packages that look promising, and choose one based on your research.

Just because something comes up high in the google results does not mean it is safe.

I never said that a high rank in Google meant something was safe, did I?

Yup, because blaster, sasser, sobig and mydoom all were able to infect '98 machines. Oh wait, what's that, they didn't? It's actually the windows XP machines which were infected. Oops, I guess your argument just got shot to hell.

You really are as dumb as a bag of rocks, aren't you? Do you have any idea of the number of exploits that have affected Windows 98 boxes? Any idea at all? Didn't think so. Did I say that Windows XP machin

Actually, since I ran windows 98 and ME for several years I would know: not once did I get attacked by a remote exploit. Now sure, there are lots of ways for an infected executable or a local user to escalate privileges, due to almost no isolation of processes, but win 9x is nearly impenetrable from the outside since it does not run network services the way NT/200(0|3)/XP does... speaking of dumb as a bag (box?) of rocks

Actually, since I ran windows 98 and ME for several years I would know: not once did I get attacked by a remote exploit

So what? Most viruses/worms come in through exploits in Internet Explorer, Outlook Express scripting, e-mail attachments, the disk that Billy brought home from his friend's house, the "cute" attachment that cousin Millie e-mailed, etc.

Now sure, there are lots of ways for an infected executable or a local user to escalate privileges, due to almost no isolation of processes, but win 9x is

Which is why you can advise them NOT to run those pieces of crap (use Firefox+Thunderbird or just Mozilla) and they'll be immune to most things.

Go to the average user's home and just look at the amount of spyware, adware, etc. on their system and you'll be horrified. You can give them all of the advice that you want, but as soon as some web site promises a nifty toolbar or some other free thing, they download it. Or they will open the attachment with the dancing baby sent by Aunt Millie, unaware that it

While running Win98 naked is about as wise as, well, running naked, this may not be the source of those bounce messages. IOW, by themselves they do not indicate that your box is a spam zombie.

I get boatloads of these things, as well as spam (filtering is your friend) -- my email address is fairly public and in a lot of address books. I'm not about to abandon it as it's within a domain I lease.

I run behind a fairly hardened firewall, and am moving toward a Linux iptables-based firewall/router/home server.

What ticks me off is when such a message bounce indicates that the original message contained a virus. How dare someone accuse me of sending a virus just because their mail daemon received a spoofed From: header? They could at least check the route the mail took against that header to get an idea if it's bogus. But, often automatic spam/virus filters are pretty stupid and trust the From: address. Still, I wonder if someone, somewhere, "out there" is blacklisting me because someone else forged my identity. Sounds like a defamation suit if I could find the bastards.

And that's the rub. Often when I've received such bounces, when the originator can be identified, they refuse to help in providing a copy of the original email, headers intact, that might permit tracking down the source: either a spammer, or a spam-zombie. I wonder if I could successfully file "theft of computer services" charges against such an organization: they're sending me unsolicited bounces, and furthermore, refusing to back up the allegation that they're bouncing messages from me. I wonder if the anti-spam legislation that's out there can be used as a club against those who send bounces to spoofed From: addresses and refuse to acknowledge or correct their mistake.

I'm not talking about any of the email headers. I'm talking about the actual IP address of the email filter that contacted my SMTP server with the bogus bounce: it, unfortunately, trusted the From: address.

Now, this could come from a zombie, or an SMTP proxy, but in either case, there exists a party that can be held responsible
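Two things mentioned in this thread, checking the route a message actually took instead of trusting its From: header (the post above) and looking the originating IP up in a DNS blocklist (the openrbl/moensted/dnsstuff post earlier), as one added example that is not code from the thread or from any of those services. The bounced message's headers, the "own network" address block and the blocklist zone `dnsbl.example` are all constructed; a real check would send the generated query name to a real DNSBL zone and would trust only the Received headers written by servers it knows.

```python
"""Find where a message really came from and build a DNSBL query for it.

Added illustration (not from the thread).  ORIGINAL_HEADERS, OWN_NETS and
the blocklist zone are constructed sample data.
"""
import email
from email import policy
import ipaddress
import re

# Constructed headers of the message that was bounced back to the "sender":
# From: claims an address in the victim's domain, but the earliest Received
# line shows the TCP peer that actually handed the message to the first MTA.
ORIGINAL_HEADERS = """\
Received: from mx.victim.example ([198.51.100.10]) by mail.recipient.example
\twith ESMTP id abc123 for <someone@recipient.example>; Thu, 2 Sep 2004 07:55:00 -0700
Received: from unknown (HELO victim.example) ([203.0.113.45])
\tby mx.victim.example with SMTP; Thu, 2 Sep 2004 07:54:40 -0700
From: forged-placeholder@victim.example
To: someone@recipient.example
Subject: hi

"""

OWN_NETS = ["198.51.100.0/24"]       # constructed: the address block "you" use
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_headers):
    """IPv4 addresses in the bracketed 'from ... [ip]' part of each Received
    header, in header order (topmost = most recent hop)."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(raw_headers):
    """The peer address recorded by the earliest (bottom-most) Received header.
    Headers below the ones your own trusted servers added can be forged, so a
    real check stops at the first untrusted hop; here all lines are sample data."""
    ips = received_ips(raw_headers)
    return ips[-1] if ips else None


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the list zone (the ip4r convention):
    203.0.113.45 in zone dnsbl.example -> 45.113.0.203.dnsbl.example."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def analyse(raw_headers, own_nets, zone):
    """Summarise what the headers say about the true origin."""
    origin = originating_ip(raw_headers)
    nets = [ipaddress.ip_network(n) for n in own_nets]
    return {
        "origin": origin,
        "from_own_network": origin is not None
        and any(ipaddress.ip_address(origin) in n for n in nets),
        "dnsbl_query": dnsbl_query_name(origin, zone) if origin else None,
    }


if __name__ == "__main__":
    result = analyse(ORIGINAL_HEADERS, OWN_NETS, "dnsbl.example")
    for k, v in result.items():
        print(f"{k}: {v}")
```

For the sample above the message originated at 203.0.113.45, outside the owner's block, so the From: address was forged; the `dnsbl_query` value is the name one would resolve against a real blocklist zone (an A record in the answer means the address is listed). The same reversal is what the ip4r tool linked earlier performs for you.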

HijackThis - Find out what's in your PC. (semi-advanced) The site for HijackThis [spywareinfo.com] seems to be down for now. There are a few other little nifty freebie apps in there, too. Here's a mirror download site [spychecker.com]

Elitist attitudes like this are always amusing to me... Requests for this guy to search google don't answer his question... He wants to know what we, a group of tech savvy folk, recommend. It's harder for google to answer that directly than a simple Ask Slashdot. To all the moaners out there, stop reading Ask Slashdot or just stop reading the site altogether. Questions like these are how people learn, and serve as a starting point for discussion here.

We should never insult folks for asking "stupid" questions, but rather admire the courage it took to ask.

I agree. This one is an okay question. However that question from the guy who couldn't figure out how to block the light from an LED was outrageously stupid. A good proportion of these Ask Slashdot questions are rather dumb, so I can sympathize with this guy's response.

If this guy had spent even 5 seconds on Google, he'd KNOW there are free virus scanners for Windows all over the place. The first entire page of results for "free virus scanner" are all free virus scanners for Windows.

This guy just didn't put in any effort at all.

For the record, I recommend AVG Antivirus and Sygate Personal Firewall. ZoneAlarm might look pretty, but it's hard to configur

Bounce messages are completely non-indicative of spam zombie status. I would bet my entire life savings that his email address is in the list of fake addresses that various mailer worms or spam programs use as the fake "From:" header. Sometimes those lists are automagically pulled from internet searches. So that way he gets inundated with bounce messages, not the spammer.

He probably just used his email address online once, or sent email to someone who's infected. Now his email address is seen as a good defl

Windows (and other reasonably complex OSs) often get very busy for reasons difficult to discern. My old, crap laptop gets all but frozen when it starts swapping in earnest, or during dramatic GC sweeps. I've learned when to expect these, though.

Also, my DSL modem has a "WAN" light, but nothing to say what's coming in vs going out. Turning logging on demonstrated that nearly all unaccountable activity was incoming probes, and I breathed easier. I also helped more than one sysadmin/netadmin identify zom